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1 

2 REMARKS 

3 

4 These remarks follow the order of the paragraphs of the office action. Relevant portions of the 

5 office action are shown indented and italicized, 

6 

7 DETAILED ACTION 

8 

9 Response to Amendment 

10 

1 1 In response, the applicants respectfully state that the exceptions to the cited art previously stated 

12 still stand, 
13 

14 Specification 

15 

1 6 The disclosure is objected to because of the following informalities: on line 5 of the 

1 7 claim 1 , "each the events" should be "said events" Appropriate correction is required, 
18 

19 In response, the applicants respectfully state that although it is believed that a claim amendment 

20 need not be reflected as a specification change, in order to be responsive, the specification is 

21 amended on line 5 of the claim I , replacing "each the events" with "said each event." 
22 

23 Claim Objections 

24 Claim I is objected to because of (he following informalities: online 5 of the claim J, 

25 "each the events " should he "said events ". . Appropriate correction is required. 

26 

27 In response, the applicants respectfully state that claim 1 is amended to 'said each event'. This 

28 overcomes the claim objection of claim 1 . 

29 

30 Claim Rejections - 35 (JSC § 101 

31 

32 35 USC. 101 reads as follows: 

33 Whoever invents or discovers any new and useful process, machine manufacture, or 

34 composition if matter, or any new and useful improvement thereof, may obtain a patent 
3 5 therefor, subject to the conditions and requirements of this title. 

36 The base claim 1 recite a method of monitoring events in a computer network and the 

37 claim 10 recites "a computer program containing a prog-am code to carry out the steps 

38 of the method of claim f ". thus, the claim f's method is a computer implemented method 

39 claim. The claim I recites steps in a computer program. 
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1 Patentable subject matter is held to exclude laws of nature, natural phenomena, and 

2 abstract ideas. Diamond v, IJehr, 450 U.S 175, 185, 101 SCt 1048, 1056 (1981), 

3 Applicants ' claim 1 recites steps m a computer program, which is not a process, ami thus 

4 the claim 1 is non-statutory. 

5 Only an applicant 's claims are entitled to the protection of the patent system; therefore 

6 claims, if expressing ideas in a mathematical form, must describe something beyond the 

7 majnjmfa • teas in ordei to qualify as patentable subject matter, in re Warmerdam, 

8 at 1 360. (.been the absence (ferny practical effect or significant independent physical 

9 acts, the applicants ' claim fails to adequately define the claimed invention within the 

10 domain of paten/able subject matter The claimed invention as a whole must accomplish a 

11 practiced application. Thai is, it must produce a "useful, concrete and tangible result. " 

12 State Street, 149 F. 3d at 1373, 47 USPQ2dai 1601-02. The purpose oft this requirement 

13 is to limit patent protection to invent tons that possess a certain level of "real world" 

14 value, as opposed ia subject matter that represents nothing more than art abstract idea 

15 or mathematical concept or ts simply starting point for future investigation or research 

1 6 (Brenner v. Manson. 383 U.S. 519 528-36 148 USPO 689, 693- 96); In re Ziegler, 992, 

1 7 F,2d 1 197, 1200-03,26 USP02d 1600, 1603-06 (fed. Or. 1993}}. 

1 8 Accordingly, a complete disclosure should contain some indication of the practical 

19 application for the claimed invention, i.e., why the applicant believes the claimed 

20 invention is useful. Given the absence of am naetica ejfei •• vi ifu t > lependent 

2 1 physical acts, the applicants ' claim fails to adequately define the claimed invention 

22 within the domain of patentable subject matter. 
23 

24 Claims 2-1 1, 16-17 are rejected for the same reason set forth in above. 

25 



26 In response, the applicants respectfully state that claim 1 is not a computer implemented method 

27 claim. Claim 1 is a process having the particular steps indicated. There is nothing abstract about 

28 the steps of claim 1. Claim 1 includes tangible non-abstract ideas of a physical process. It 

29 includes at least one event trigger, event monitor, event display, display labels, event plots, 

30 viewer, event visuaiizer, etc. 
31 

32 Dependent claim 10 is a limitation upon independent claim 1 . It does not reflect upon its parent 

33 claim negatively. If any problem exists it is with claim 10 not claim I Claim 10 let us say, is for 

34 claim differentiation of method claim 1 . As a matter of fact the principle of claim differentiation 

35 makes claim 10 show that not all steps of claim 1 are computer implemented, otherwise claim 10 

36 would not be necessary. Claim 10 includes components any of which can be implemented with 

37 tangible physical media. Claim 10 is amended to better show that it is a way to implement all 

38 the steps of claim I using a computer readable program. This overcomes the claim objection of 

39 claim 1 
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1 

2 The claim 1 / recite "said program code being stored on data carrier ". It is suggested 

3 that the preamble he amended to recite - said program code heing stored on a computer 

4 readable medium. " 
5 

6 In response, the applicants respectfully state that claim 1 1 is amended to show that the program 

7 code is stored on a computer readabl e medium. This overcomes the claim rejection of claim 1 1 . 
8 

9 The claim J 3 recites , "a computer usable medium ". It is suggested thai the preamble 

10 he amended to recite ~ a computer readable medium, " 

11 

12 In response, the applicants respectfully state that claim 13 is amended to show that, the program 

1.3 code is stored on a computer readable medium This overcomes the claim rejection of claim 13. 
14 

15 The claim 14 recites "a program storage device readable by machine ". It is suggested 

1 6 that the preamble be amended to recite - a computer readable medium. " 
17 

1 8 In response, the applicants respectfully state that claim 1 4 is amended to show that \ t is readable 

1 9 by a computer, This overcomes the claim rejection of claim 1 4. 
20 

2 1 The claim 15 recites "a computer usable medium ". It is suggested that the preamble he 

22 amended to recite - a computer readable medium. " 
23 

24 In response, the applicants respectfully state that claim 15 is amended to recite - a computer 

25 readable medium. This overcomes the claim rejection of claim 15. 



26 

27 Claim Rejections - 35 liSC § 112 

28 The following is a quotation of the second paragraph of 35 (JSC 112: The specification 

29 shall conclude with one or more claims particularly pointing out and distinctly claiming 

30 the subject matter which the applicant regards as his invention. 

3 1 Claims 1-20 are rejected under 35 USC. 112. second paragraph, as being indefinite for 

32 Jailing to particularly point out and distinctly claim the subject matter which applicant 

33 regards as the invention. 

34 For example, the claim I recites "attribute values allocated to a given set of attributes 

35 of said each event ", "various event attributes ", "a primary attribute of the events ", "a 

36 second display label to the events indicating (he attribute values of the attributes '. '"a 

37 secondary attribute of said each event". It is confusing whether the attributes as recited 

38 ire the claim J are associated with a plurality of events or a single event. It is further 

39 confusing whether the attribute values as recited in the claim I are associated with a 
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1 plurality of attributes or a single attribute such as a primary attribute or a secondary 

2 attribute. Clarification is required 

3 Although multiple attribute values related to the primary attribute cart he presented on 

4 the some display, it is not ascertained that the attribute values are allocated to a plurality 

5 of attributes or to a single primary attribute as applicant 's claim 1 later recites "a 

6 secondary attribute ". 

7 Moreover it is not ascertained from the claim invention set forth m the claim 1 whether 

8 the claim limitation of "attributes " refer to numerical attributes or categorical attributes 

9 or the display coloring attributes. Applicant Hailed to particularly point out and 
10 distinctly claim the subject mailer which applicant regards as invention. 

11 

12 Claims 2-13 and 1.5-19 depend upon the claim I and are rejected due to their 

1 3 dependency on the claim 1. 
14 

1 5 In response, the applicants respectfully stale that it was shown above that claim 1 is amended to 

.16 show that each event has a set of attributes. As stated in claim f each event has "a given set of 

] 7 attributes." As further stated attributes have "attribute values allocated to a given set of 

1 8 attributes of said each event. Claim 1 is amended to make it more clear and definite. The word 

19 'attributes' is used as defined in the specification. Page 1, lines 13-19 which read: 

20 "Network activities are usually monitored by the intrusion detection system as a time- 

21 ordered sequence of events wherein each event is characterized by a given set of 

22 attributes, so-called dimensions. Each event therefore forms an n-dimensional space." 
23 

24 " The monitoring of a high number of events each having many attributes triggered by an 

25 intrusion-detection system is a task that requires high skill and attention from the 

26 monitoring staff since a large fraction of the triggered events is regularly reported. 



27 Each event having a set of attributes. This overcomes the rejection under 35 USC. 1 12, second 

28 paragraph, of claim 1 and Claims 2-13 and 15-19 which depend on claim 1 . 

29 
30 

3 1 The, claim 14 is subject to the same rationale of rejection set forth in the claim 1. 

32 

33 In response, the applicants respectfully state that claim 14 is amended as in claim I . This 

34 overcomes the rejection under 35 USC. 1 12, second paragraph, of claim 14. 

35 

36 The claim 20 is subject to the same rationale of rejection set forth in the claim 1. 
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1 

2 In response, the applicants respectfully state ha claim 14 is amended as in claim 1, This 

3 overcomes the rejection under 35 USC. 1 12, second paragraph, of claim 20. 
4 

5 Claim 10 recites the limitation "the steps" in line I of the claim. There is insufficient 

6 antecedent basis far this limitation in the claim. 
7 

8 In response, the applicants respectfully state that claim 10 is amended to overcome the rejection 

9 under 3 5 USC . 1 1 2, second paragraph. 
10 

1 1 Claim 11 recites the limitation "the steps" in line 1 of the claim. 'There is insufficient 

1 2 antecedent basis for this limitation in the claim. 
13 

14 In response, the applicants respectfully state that claim 1 1 is amended to overcome the rejection 

1 5 under 35 USC. 1.1.2, second paragraph. 
16 

1 7 Claim 12 recites the limitation "the steps" in line 2 of the claim and the device " in lines 

i 8 1-2 of the claim. There is insufficient antecedent basis for this limitation in the claim, 

1.9 

20 In response, the applicants respectfully state that claim 12 is amended to overcome the rejection 

21 under 35 USC. 1 1 2, second paragraph. 
22 

23 Claim 13 recites the limitation "the steps" in line 4 of the claim. There is insufficient 

24 antecedent basis for this limitation in the claim. 
25 

26 In response, the applicants respectfully state that claim 1 3 is amended to overcome the rejection 

27 under 35 USC. 1 12, second paragraph. 

28 

29 Claim 15 recites the limitation "the functions'' in lines 4-5 of the claim. There is 

30 insufficient antecedent basis for this limitation in the claim. 
31 

32 In response, the applicants respectful ly state that claim 15 is amended to overcome the rejection 

33 under 35 USC. 1 1 2, second paragraph. 
34 

35 Claim 20 recites the limitation the method" in line 2 of the claim. There is insufficient 

36 antecedent basis for this limitation in the claim. 
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1 The scope of claim 20 is confusing as it is unclear whether an apparatus (i.e., an article 

2 of manufacture) or a method (i.e., a method) is being claimed. Clarification is required. 
3 

4 In response, the applicants respectfully state that claim 15, for an article of manufacture is 

5 amended to overcome the rejection under 35 USC. 1 12, second paragraph. 



6 

7 Claim Rejections -35 USC § 103 

8 

9 The following is a quotation of 35 USC. 103(a) which forms the basis for all 

10 obviousness rejections set forth in this Office action: 

1 1 (a) A patent may not he obtained /hough the invention is not identically disclosed or 

1 2 described as set forth in section. 102 of this title, if the differences between the subject 

1 3 matter sought to be patented and the prior art are such thai the subject matter as a whole 

14 would have bean obvious at the time the invention was made to a person having ordinary 

1 5 skill in the art to which said sub feet matter pertains. Patentability shall not he negatived 

16 by the manner in which the invention is made. 
17 

J 8 Claims 1-20 are rejected under 35 (JSC. J 03(a) as being unpatentable over & Ma, et 

19 at, "EventMitter: An integrated mining tool for Scalable Analysis of Event Data ", May 

20 21 200/ wwm o-- at h hm.com in view oft.) Kranzlmnllcn \ l ntdbne? I Volkert 

21 "Event graph visualization for debugging large applications'', Proc. of the 

22 SIGMETRICS symposium an Parallel mid distributed tools, Philadelphia, PA , United 

23 States, Pages: I OH - 117 (hereinafter Kranzltmdler). 
24 



25 In response, the applicants respectfully state that Claims 1-20 are apparently not made obvious 

26 by the combined art references to S. Ma, et a!., and KranzlmuHer. Applicants respectfully state 

27 that continued exception is taken with the so called equivalencies of elements in Claims 1-20 and 

28 the cited art, as stated previously. This is particularly in regard to use of words in claims 1-20 of 

29 'attributes', 'primary', 'events', 'display label' etc. Further exception is taken with the so called 

30 equivalencies of elements in Claims 1.-20 and the combined art. The present invention, claimed 

31 in Claims 1-20, is for: 



32 "Monitoring events triggered by a computer network. Each event being provided with 

33 attribute values al located to a given set of attributes, and providing an event display, 

34 determining a primary attribute and a corresponding display label of the events selected 

35 from the given set of attributes presented with attribute values on a cross plot, providing a 

36 pattern algorithm to detect whether an arrived event is part of a given pattern, providing a 

37 mapping algorithm to map attribute values on the cross plot, allocating a second display 
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1 label to the events indicating the attributes uncovered as part of the given pattern, plotting 

2 events arriving and including an attribute value allocated to a primary attribute into the 

3 cross plot, and plotting events arriving within the time period and detected by the pattern 

4 algorithm as part of the gi ven pattern into the cross plot with the second display label 

5 indicating the given pattern, " 
6 

7 The cited document of S. Ma, et al, Dated: May 21, 2001, is entitled; "EventMiner; An 

8 integrated mining too! for Scalable Analysis of Event Data/ The Ma abstract reads : 

9 "Exploring large data sets typical ly involves activities that interwoven the following: 

10 querying databases, mining the results returned, and visualizing both the raw data and the 

11 parterres discovered. This interweaving of functions arises both from the semantics of 

12 what the analyst hopes to achieve and from salabiiity requirements for dealing with large 

13 data volumes. Herein is described a tool, EventMiner, that integrates querying mining , 

14 and visualization so as to better analyze temporal data. We discuss the novel visualization 

15 techniques employed such as visualizing the results of data mining, Also, we address the 

16 large scale visualization of categorical data and how intelligent ordering of data can aid 

17 in this task. Though out, we illustrate the capabilities of EventMiner by applying it to 

1 8 event data from large computer networks. 
19 

20 Thus Ma is concerned with mapping events that have been queries from a database along the 

21 temporal axis, i.e. In the order in which they were presumably received, or recorded. Ma 



22 recognizes that time is only one possible visualization axis however does not offer any 

23 alternatives, nor gives indication of the potential use or usefulness of any other axis. Ma is 

24 primarily concerned with abstracting data from large volume to abstract visual representations. 
25 

26 Ma is not concerned with visualizing data that are being received from sensors directly, i.e. 

27 without intermediate storage in a database., and, even more importantly, is not concerned with 

28 visualizing the data along primary or secondary attribute axis, as in claims 1-20. In this present 

29 patent we believe the value of the visualization does not come from the abstraction that Ma 

30 offers but b> automatical^ mn " > ' t large variety ot visualizations tlong man> different 
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1 attribute axis, and identifying correlations etc., by superimposing and cross-referencing these 

2 visualizations as in claims 1-20. 
3 

4 The other cited document of D. Kranzlmuiler, S. Gradbner, j. Volkert, is entitled: "Eventgraph 

5 visualization for debugging large applications". The Kranzlmuiler abstract reads : 



6 "Software repair and performance tuning of parallel programs are two difficult tasks in 

7 the parallel software lifecycte 'The difficulties are further increased, if the target system 

8 is a parallel machine executing a program with many processes on a large amount of 

9 data. The existing debugging tools attack this problem with different approaches 

1 0 concerning monitoring and visualization techniques. The event graph visualization or 

1 1 space-time diagram is only one possibility to perform the analysis, but it is included by 

12 many existing tools. 

13 An example for usage of the event graph is ATEMPT, A Tool for Event 

14 ManiPuiaTion. The functionality for error debugging (errors in the communication 

15 structure, race conditions) and for performance analysis (bottlenecks through blocking 

16 communication) is bated on this global communication graph. Extensions to the regular 

17 visualization are the abstraction mechanisms provided by A TEMPT. Through horizontal 

18 end vertical abstraction the event graph can be used to debug even large applications. The 

1 9 key relies on reducing the visualized information of data that are important for error 

20 detection and performance tuning;' 
21 



22 Thus Kranzlmuiler is concerned with the abstraction of large data volumes into smaller sets that 

23 can be visualized effectively. KranzlmuISer is not concerned with generating a variety of views 

24 onto the data set, along different attribute axis, without abstraction or reduction, as in claims 1 - 

25 20. There is apparently no reason to combine Ma with Kranzlmuiler except in an attempt to find 

26 elements of claims I -20 using hindsight. This is not allowed. Besides even the combination 

27 does not make claims 1-20 obvious. 
28 

29 Most particularly, besides the differences stated in previous responses, the combined art is not 

30 concerned with superimposing and cross-referencing different visualizations of the same data, as 

3 1 in claims 1-20. Combining Kranzlmuiler with Ma does not overcome the argument made in 
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1 previous responses and in this response. Thus claims 1-20 are allowable over the cited combined 

2 art. 
3 



4 Claim J: 

5 Ma teaches a method of mom taring events in a computer network, the method 

6 comprising: Said computer network triggering said events, each event being provided 

7 with attribute values allocated to a given set of attributes of said each event (The term. 

8 'i < '•" * ,'.'/. wayJl i its dloJi. 4d.HfJ.lL * (IJ.'J. ' - 1 - 'eh < - /! 

9 the ..pattern • ijesj eh t t > or \aj?hm \ LopjSSlS wevt '' 

1 0 pattern attributes for a plumb!) > of data objects are also related to the data object 

1 1 attributes as a pal fern is computed from the plurality of data objects. The cited reference 

1 2 teach mapping a plurality of data attributes to item to identify correlation 's across 

13 different hosts and event types by using the mapping that maps the pair of event type and 

14 host name to item and eaves key empty. See Page 1 1. Moreover the cited reference in 

15 Page 1, second paragraph, explicitly teaches the attribute values, see the last paragraph 

16 of Page 6 and the first and second paragraphs of Page 8, the last paragraph of Page 12, 

1 7 ami the real data set collected from a production computer network containing thousands 
.1 8 of managed nodes including routers, hubs and servers are described in the last 

19 paragraph of page 3 and ia tig i e\s • atterns tat cai >e used for real- 

20 time moni tori ng is described in the second paragraph of page 3. Ma has also taught a 

21 plurality of pattern attributes related to the one or more significant measurements such 

22 as the cooccurrences, i.e., the total number of times that two hosts generate events 

23 within a predefined time window, the conditional probability of the two hosts, i.e., the 

24 probability of a host generating an event given the observation that the other host has 

25 generated an event, the chi-squared test and so on); Simultaneously monitoring various 

26 event attributes versus the arrival time of said c\ ents (e.g., I nk lay s two 

27 d:j\ V.-:-: OiU Svi'.-y r;r th, : !y;/'%. ifjgs ;;;/;;/•/ vV. .U V.;r,7 A ,s //;, f>"\' name :'li t d>;{! K US 

28 ell a > ohu in ' • ih\ < h < ml la n/unuoujoiim , i . ,'>,,, , 

29 ptest.s / 1 { i 1 1 t -/ / < * / 

30 i / ". ' h e i > '< ' s 1 ' <// \> \ > >t t 

3 I plot. . of. Figs, .2. and 4i: Providing an event display with a cross plot having x andy 

32 coordinate axes, the x~axis presenting a time period and the y~axis present an attribute 

33 value range (e.g., The cited reference teach mapping a plurality of data attributes to item 

34 to identify correlations across different hosts and event types by using the mopping that 

35 maps the pair of event type and host name to item and leaves key empty. See Page IT 

36 Figs: 2, 4, 6, 7,9 and the third paragraph of Page 8 describes a scatter plot or cross plot 

37 having arty-axis representing around 160 hosts of a communication network and. the x 

38 axis has been described in the figures as well as the first paragraph of page 6; for 

39 attribute value range, see these figures as well as the description in the second 

40 paragraph of Page 8); Determining a primary attribute of the events selected from the 

4 1 gt ven set of attributes to be presented with its attribute values on the y-axis of the cross 

42 plot (e.g.. The cited reference teach mapping a plurality of data attributes to item to 

43 identify correlations across different hosts and event types by using the mapping that 

44 maps the pair of event type and host name to item and leaves key empty. The attributes 

45 including the categorical attributes or temporal attributes and the primary attribute 
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1 values are displayed in Figs, 2, 4, 6 and 7 and multiple attributes are described in the 

2 last paragraphs of Page II and 12). 

3 Allocating a first display label (e.g., one of the colors indicating the patterns such as the 

4 Pattern f Patient 2. Pattern 3 and Pattern 4 as marked in (he scatter plot or the cross 

5 plot of Figs, 2, & 7 and 9 such as 'Link down of host A " and 'node down of host B ") to 

6 the events (e.g., alarms in Page 10) indicating (mapping of the attributes wherein the 

7 mapping results are shown in the plots with the patterns identifying indicating the 

8 attribute values of the primary attribute related to the categorical attribute such as the 

9 host A or the host £. Moreover, the pattern attribute values identify nig the pattern I and 
10 the pattern 2 also describe the primary attribute such as the host A and the host Bfor the 
1.1 patterns such as ''Link down (ghost A " and "node down of host 8 ") (he attribute values 

12 of the primary attribute (e.g., co-occurrence of certain events or the categorical attribute 

1 3 and event type associated with the events wherein the primary attribute is related to the 

! 4 primary attribute of the data set or the primary attribute of the patterns, See Page 12 and 

15 (hi kc) at in hut i values are described in the second pa; •graph of page 3), providing a. 

1.6 pattern algorithm (the pattern algorithm is described in Fig. 7 as well as the mining 

17 algorithm as described in the last paragraph if page 12 or the live nt Miner for ntd, 

! 8 categorical values wherein the event gene rating, say e\-ery 300 seconds, 'may be 

19 identified) to detect whether art arrived event (arrived event arc the selected event objects 

20 or the selected data objects in specific time range related to the events progressively 
21. haded from a database or the mining alarm logs in a real time system, ' see first 

22 paragraph of page 13 and the last paragraph of page 10 and a new query (has retrieves 

23 the relevant data objects for more analysts in which a new query is restricted to a range 

24 constraint for a numerical attribute; see the last paragraph of page 10) is part or the 

25 given pattern (is part of the given pattern such as the Pattern 1 or the Pattern 2 from the 

26 identifiable patterns such as the SNMF request, authentication fat lure, link up, link 

27 down, port up, port down, wherein authentication failure indicates a passible security 

28 nfriisi id 1 \j is, iatedjyjth , s 

29 aw\ih On i/ihiti ^ > </m tth the event} on the basts of a iompatnon of the 

30 attributes allocated to the given pattern and of the attributes assigned to the arrived 

31 event (e.g.. the co-occurrence measurements for events can be computed for the. data sets 

32 or the data objects and the temporal correlation with the selected hosts from the other 

33 side of the Attribute Viewer can be identified using the color linkage by the coloring and 
3 4 filtering algorithm or the data mining algorithm in which the difference or similarity in 

35 terms of patterns indicated by colors is compared: see page 12-13), providing a mapping 

36 algorithm to map any attribute value of an attribute selected from the given set of 

37 attributes onto the y~axis of the cross plot (see the fast paragraphs of Page 11-12; The 

38 cited reference teach mopping a plurality of data attributes to item to identify 

39 correlations across di fferent hosts and event types by using the mapping that maps the 

40 pair of event type and host name to item and leaves key empty). Allocating a second 

41 display label (e.g., one of the colors indicating (he patterns such as the Pattern I, Pattern 

42 2, Pattern 3 and Pattern 4 m marked in the scatter plot or the cross plot of logs. 2, 6, 7; 

43 SNMP request, authentication failure, link up, link down port up, port down wherein. 

44 authentication failure indicates a possible security intrusion may he used as display 

45 labels as well. The attribute values may be used as display labels as welt) to the events 

46 indicating tt tc attn hue i \tfues of the attributes being uncovered (discovered) as pan of 
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1 the given pattern (e.g. the co-occurrence measurements for events can he computed and 

2 the temporal correlation with the selected hosts from the other side of the Attribute 

3 I '/ewer ear/ he identified using the color linkage by the coloring and (dieting algorithm 

4 or the data mining algorithm in which the difference or similarity in terms of patterns 

5 indicated by colors is compared; see page 12-13; the display labels indicate the attribute 

6 values of the attributes being discovered as part of the given pattern, tor example, the 

7 second host was near a critical level for a kev metric indicates /he attribute values of the 

8 attributes being discovered as part of the given pattern), plotting all the events arrived 

9 within the time period and including an attribute value alien oted to the primary attribute 
10 into the cross plot with the first display label indicating the primary attribute, the 

1.1 position of the first display label of each event in the cross plot being determined on the 

12 basts of the attribute value of the primary attribute of the event and its arrival time (e.g., 

13 The cited re ference leach mapping a plurality o f data attributes to item to identify 

!4 correlations across different hosts and event types by using fht , 7 7 that maps the 

1 5 pair of event type and host name to item and leaves key empty. Figs. 2, 4, 6, and 7 and 

1.6 the related paragraphs mentioned above in "allocating a first display label ". e.g., one of 

17 the colors indicating the patterns such as the Pattern 1, Pattern 2. Pattern 3 and Pattern 

1 8 4 as marked in the scatter plot or the cross plot of Figs. 2, 6, 7; SNA IP recptest, 

19 authentication failure, link up, link down, port up, port down wherein authentication 

20 failure indicates a possible security intrusion may be used as display labels as welt. The 

21 attribute values may be used as display labels as well}, and Plotting the all events arrived 

22 within the time period (Figs. 2, 4, 6, and 7 plot the all events within a specific time range) 

2 3 mid being detected by means of the pattern algor ithm (by the even t miner algor ithm) as 

24 part of the given pattern into the cross plot with the second display label (e.g. one a the 

25 colors indicating the patterns such as the Pattern I, .Pattern 2, Pattern 3 and Pattern 4 as 

26 marked hi the scatter plot or (he cross plot of Figs. 2, 6, 7 and 9 or Pattern 2 or the 

27 Green Spike in Fig. 10, the posit urn of the second display label of each event in the cross 

28 plot being determined by the mapping algorithm on the basis of the attribute value of the 

29 attribute of the event (see Figs. 1 -10) on the basis of the attribute value of the attribute of 

30 the event being uncovered (uncovered far example in the alarm log and uncovered by the 

3 1 mining algorithm) as pan of the given pattern and its arrival time (discovered as part of 

32 the given pattern such as Patterns J -4 and its arrival time: all the selected events are in a 

33 specific time range as plotted in Figs. 2, 4, 6, 7 and 10). 

3 4 In other words, Ma dis closes an apparatus and system for monitoring events in a 

3 5 computer network enabling <• in operator if an intrusion-detection system to 

36 simultaneously monitor various event attributes versus the arrival time of the events, for 

37 example, authentication failure indicates a possible security intrusion may be used as 

38 display labels. The cited prior art /caches in Fig. 7 and (he last paragraph of the Page 12 

39 plotting the primary attribute (e.g., with the attribute values indicating the troublesome 

40 hosts having significantly high event counts) versus time with the attribute values for 

4 I events in a communication network and the primary attribute for a host is selected from a 

42 plurality of attributes related to the categorical values, the one or more significant 

43 measurements such as the co-occurrences (i.e., the total number of times thai two hosts 

44 generate events within a predefined time window), the conditioned probability of the two 

45 hosts (i.e., the probability of a host generating an event given the observation that the 

46 other host has generated an event) , the chi -squared test and so on. 
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1 Fig. 4 shows (he coloring of the events having the primary attribute with the patterns 

2 indicating the authentication failure andSNMP request in order to differentiate using the 

3 coloring the events with authentication failure from other events. A. pet/tern label is 

4 assigned to the events falling into the same pattern. Finally, the operator can view 

5 different event attributes by switching menus d ig. 6). 

6 Ma has taught in Fig. 7 and the last paragraph of the Page 12 plotting the primary 

7 attribute (e.g.. with the attribute values indicating the troublesome hosts having 

8 significantly high event counts) versus time with the attribute values for events in a 

9 communication network. Ma has also taught a plurality of attributes related to the one or 

10 more significant measurements such as the co-occurrences (i.e., the ratal number of times 

11 thai two hosts generate events within a predefined time window >, the conditional 

12 probability of the two hosts (i.e., the probability of a host generating an event given the 

1 3 observation that the other host has ge tie rated an event), the chi -squared test and so on 
!4 wherein the attribute values are plotted at the same plot. See Figs. 2. 6, 7 and 9. Many 

15 significant event patterns are simultaneously identified within a single plot without the 

16 operator 's switching between the various event attributes. 

1 7 Ma discloses display label including the. colors for coloring the. different patterns that 

! 8 indicate the attribute values of the primary attribute such as the co-occurrences of some 

1 9 specific events within a prede fined time window. 

20 Md teaches hi Fig ..JfM. displays pypd attributes for t he [.events, [ Figs. 2 [and 4 

21 ->> 1 \ tx.iS..I.S.JJ.?S. ^itlS. o UJ Oi d a • ■■■ ell a • < . (onngpfq hji , , ,? - 

22 "atith ■ i ci e fore at 

23 h ' veM am • ssm >>> has 1 . \ mi ••• • » it <h .am a imv, 

24 bee-/ m>i ( • .-. . mil 'tdinihcj a t i tg\ 2 and 4 / he menu options shou n in 

25 Fig. 6 allow far the y-axis attribute mappings be changed. Moreover, Ma teaches 

26 mapping a plurality of attributes to item and viewing both numerical at tribute and 

27 categorical attribute on a same plot in Fig. 7 (See Page JO). Thus, Ma at feast teaches or 

28 suggests the claim limitation of viewing a secondary attribute of said each event together 

29 with the primary attribute on said display. 

30 Moreover, Kramlmuller teaches viewing a plurality of attributes P0~P7for the events in 

3 1 a communication network. Kramlmuller teaches viewing a secondary categorical 

32 attribute (e.g., an event belonging to the category P0) of said each event together with 

33 the primary categorical attribute (e.g., an event belonging to the category Pi) on said 

34 display (See Page 109 Fig. 2). 

35 // would have been obvious to one of the ordinary skiff in the art at the time the 

36 invention was made to have incorporated Kramlmuller 's teaching into Ma to view a 

37 plurality of 'attributes related to the events on the same display because Ma at least 

38 suggests the claim limitation of viewing a secondary attribute of said each event together 

39 with the primary attribute on said display at least by the means of mapping of the 

40 secondary attribute and coloring the secondary attribute and therefore the secondary 

41 attribuh and (Ik pitman attiibuk are distinah view ed 'See I igs 2 and 4 of \ia 

42 ' / a in • >tlor\ attributes itt, > > x" \icv nigh tih 

43 menu option^ a>e used m t igs {> <>j Ma ta sn tub th t'/imat) atinbutc ;■> hie ano/fn i 

44 in ' a \ >' , di ittilhik , < , . d < >F < < a ' >am m ■> : a >W 

45 ' hi pc /•/•. d and dry i i > > , -••</ the v /,<>/<•• dapl 
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1 _ One of the ordinary skill in the art would have been motivated to do so such that the 

2 inter-process dependency among events and event categorical attributes are visualized 

3 {Kranzlmtdkr Page 109). 
4 

5 In response, the applicants respectfully state that the combined an of Ma and KranzlmuHer 

6 apparent!) 1 do not make claim 1 obvious. Claim 1 as amended reads: 

7 1 . A method of monitoring events in a computer network, the method comprising: 
8 

9 said computer network triggering said events, each event being provided with attribute 

10 values allocated to a given set of attributes of said each event, 
11 

12 simultaneously monitoring various event attributes from said given set of attributes 

1 3 versus the arrival time of said each event, 
14 

15 providing an event display with a cross plot having x and y coordinate axes, the x-axis 

16 presenting a time period and the y-axis presenting an attribute value range, and 

1 7 visualizing data along said x and y coordinate axes, said axes being attribute axes, 
18 

1 9 determining a primary attribute of said each event selected from the given set of 

20 attributes to be presented with its attribute values on the y-axis of the cross plot, 
21 

22 allocating a first display label to the events indicating the attribute values of the primary 

23 attribute, providing a pattern algorithm to detect whether an arrived event is part, of the 

24 given pattern on the basis of a comparison of the attributes allocated to the given pattern 

25 and of the attributes assigned to the arrived event, providing a mapping algorithm to map 

26 any attribute value of an attribute selected from the given set of attributes onto the y-axis 

27 of the cross plot, 
28 

29 allocating a second display label to said each event indicating the attribute values of the 

30 attributes bei ug uncovered as part of the given pattern, 

31 
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1 plotting all events that arrived within the time period and including an attribute value 

2 allocated to the primary attribute into the cross plot with the first display label indicating 

3 the primary attribute, the position of the first display label of said each event in the cross 

4 plot being determined on the basis of the attribute value of the primary attribute of the 

5 event and its arrival time, 
6 

7 plotting all events that arrived within the time period and being detected by means of the 

8 pattern algorithm as part of the given pattern into the cross plot with the second display 

9 label indicating the given pattern, the position of the second display label of said each 

1 0 event in the cross plot being determined by the mapping algorithm on the basis of the 

1 1 attribute value of the attribute of the event being uncovered as part of the given pattern 

12 and its arrival time, 
13 

14 viewing a secondary attribute of said each event together with the primary attribute on. 

15 said display; and 
16 

17 automatically generating a large variety of visualizations along other attribute axes, and 

18 identifying correlations by superimposing and cross-referencing these visualizations. 
19 

20 The applicant respectfully take particular exception with the alleged equivalency of elements in 

2 1 claim 1 and the cited art, and take exception with the Examiner assertions. For example, claim 1 

22 shows that the attribute are event attributes, and to show explicitly that it includes 

23 "simultaneously monitoring various event attributes versus the arrival time of each the events," 



24 and to specifically add a step of 'viewing a secondary attribute of said each event together with 

25 the primary attribute on said display./' This apparently more clearly distinguishes claim I from 

26 the cited reference. Thus claim 1 and all claims that depend thereupon are allowable over Ma. 
27 

28 Claim 1 - 20 state that the value of the visualization is derived from generating multiple 

29 visualizations along different attributes and using those to identify interesting event patterns by 

30 superposition and cross-referencing. 
31 
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1 A review of Ma and Kranzlmuller show that even the combination does not steps of claim I . 

2 The combination does not do the steps of automatic generation of multiple visual izations and 

3 providing means for cross-referencing. Thus the combined art does not make claim 1 obvious, 

4 and claim 1 and aii claims depending on claim 1 are allowable. 



5 

6 Re Claims 2-3: A-f a further discloses selecting the new events within the specified time 

7 period and plotting the new events within the shifted time period into the cross plot See 

8 Figs. 6, 7, 9 and 1 0 in which events in the two time periods are drawn and the spikes are 

9 identified and the newly selected events are redrawn as determined h) 1 the data mining 

10 algorithm for the time period dining which the new events are retrieved. The database 

1 1 records- the attribute values and the arrival tune of a new event. The pattern algorithm 

12 determines on the basis of the recorded attribute values of event whether or not the newly 

1 3 arrived event nt the database and the newly retrieved event from the database includes 

14 an attribute value of the primary a {tribute for a certain host and event type, as 

1 5 determined the pattern algorithm using the mapping mechanism for mapping a plurality 

i 6 of attributes including the primary attribute into an hem for presentation, and the pattern 

17 algorithm also determines if the newly arrived event e.g. . alarm, includes the attribute 

1 8 value for the primary attribute, e.g., a certain host or a certain event type including 

1 9 SNMP request, authentication failure link up, link down, port up, port dow n, fink dawn of 

20 host A, node down of host B etc., shifting the x-axis of the cross plot for the new time 

21 period so thai the ne w time period being presented on the x~axi$ covers the arrival t ime 

22 of the event and plotting the event arrived within the shifted time, period into the cross 

23 plot with the first display label indicating the primary attribute. 

24 Ma discloses determining on the basis of the recorded attribute values of event horn the 

25 alarm log or the database whether or not the newly arrived event for the new time period 

26 /.v part of the given pattern using the pal tern algorithm on the basis of a comparison of 

27 the attributes allocated to the given pattern, for example a composite pattern of Page 13, 

28 on the basis of a comparison analysis, and of the attribute assigned to the arrived event 

29 wherein the newly arrived event are determined by the retrieval time ranges and data 

30 ranges including She host names and types from the database. Ala further discloses 

3 1 determining if the newly arrived even! includes an attribute value of the given pattern 

32 including the mutual dependence measurement of an m-pattern adding the event to the 

33 previous events being detected as part of the given pattern, and redrawing ah the events 

34 being associated with given pattern in the cross plot bv updating the cross plot. 
35 



36 In response, the applicant respectfully take particular exception with the alleged equivalency of 

37 elements in claims 2 and 3 and the cited art, and take exception with the Examiner assertions, 

38 This is in regard to use of words in the claims attributes, primary, events, display label etc The 

39 present invention in 2 and 3 is not anticipated or made obvious by S. Ma, et al. As noted Ma's 

40 method is apparently that only one of the event attributes may be plotted versus the arrival time of 

41 the events. Thus, the operators have to switch continuously between the various event attributes 
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1 to make sure that they do not miss a significant event attribute or attributes or their simultaneous 

2 display. Ma is not concerned with the 'primary attribute' nor for a plurality of event attributes, as 

3 in claims 2 and 3. The addition of Kranzl muHer apparently does nothing to make these obvious. 
4 

5 Also, the office communication states the visualizations are generated for any type of attribute, or 

6 combination of several, recorded with the event data. A review of Ma and KranzlmuHer show 

7 that the art still is concerned with data along a temporal axis. Thus, claims 2 and 3 are allowable 

8 over Ma and KranzlmuHer in themselves and because each depends on allowable claim 1 . 



9 

10 Re Claims 4-5: Ma further discloses the third display label and the fourth display label 

1 1 indicating the new patterns (See the three colored spikes in f ig. 6 and the jour patterns 

12 in Fig, 7). 

13 Mi discloses determining if the newly arrived event does not include an attribute value 

1 4 of the given pal tern, on the basis of the recorded attribute values of all previous arrived 
.1 5 events from the alarm logs or from (he database, by means oft the mining algorithm 

16 whether or not the newly arrived event is part of a new pattern on the basis of a 

17 comparison (Page 13) of the attributes allocated to the new pattern and of the attributes 

18 assigned to the arrived events. Ma discloses allocating a third display label to the events, 

1 9 including the coloring of the new pattern, indicating the attribute values of the attributes 

20 being discovered as part of the new pattern wherein a large amount of patterns cart he 

21 discovered by the mining algorithms. Ma discloses plotting the all events being detected 

22 by means of the mutiny algorithm as part of the new pattern into the cross plot with the 

23 third display label indicating the new pattern ti ?e position of the third disph ty la be I of 

24 each event in the cross plot being determined by the mapping algorithm (Page 12 for the 

25 mapping of the attributes into item and thereby determining the positions of the patterns 

26 on the cross plot) on the basis of the attribute value of the attribute of the event (event 

27 types, host names etc.) being uncovered as part of the new pattern, such as SNMP 

28 request authentication failure, link up, Link down, port up, pore. down, link down of host 

29 A, node down of host B etc, and its arrival time in the database, 

30 Met discloses removing all the events including an attribute value allocated to the 

3 1 primary attribute from the cross plot, if a primary attribute to be presented with its 

32 attribute values on the y-axis of the cross plot is changed (if the mapping mechanism for 

33 mapping a plurality of attributes including the host names and event types are changed), 

34 allocating a fourth display label including SNMP request, authentication fat v e, link up, 

35 link down, port up, port down, link down of host A, node dawn of host B etc., to the 

36 events indicating the attribute values of the new primary attribute (e.g., category 

37 attribute, event type of data objects). Ma discloses plotting all the events arrived within 

38 the time period as retrieved from the database and including an attribute value allocated 

39 to the new primary attribute into the cross plot with the fourth display label, including 

40 SNMP request, authentication failure, link up, link down, port up, port down, link down 
4 1. of host 4, node down of host B etc. , indicating the new primary attribute, such as the host 
42 name and event type the position of t >rt 'isp 'abel of each event in the cross 



DOCKET NUMBER; CH92002-0049US1 



29/37 



Sena! No.: 10/798,070 



1 plot being determined by the mapping mechanism in Page 12 on the basis of the attribute 

2 value of the primary attribute of die event ana' its arrival time as determined by the 

3 retrieval condition from the database. 
4 

5 in response, the applicant respectfully take particular exception with the alleged equivalency of 

6 elements in claims 4 and 5 and the cited art, and take exception with the Examiner assertions. 

7 This is in regard to use of words in the claims attributes, primary, events, display label etc. The 

8 present invention in 4 and 5 is not anticipated or made obvious by S. Ma, et al . As noted, 

9 applicants respectfully state that the indicating of new patterns in Ma, is not the steps of claim 4. 
10 Ma and Kranzlmuller do not test as in claim 4, "if the newly arrived event does not include an 

1.1 attribute value of the given pattern/' Nor do Ma and Kranzlmuller determine, "on the basis of the 

12 recorded attribute values of all previous arrived events by means of the pattern algorithm 

13 whether or not the newly arrived event is part of a new pattern on the basis of a comparison of 

14 the attributes allocated to the new pattern and of the attributes assigned to the arrived events." 
1.5 Nor do Ma and Kranzlmuller test, "if the newly arrived event forms together with previous 

16 recorded events the new pattern," Nor do Ma and Kranzlmuller allocate, "a third display label to 

1 7 the events indicating the attribute values of the attributes being uncovered as part of the new 

1 8 pattern." Certainly, Ma and Kranzlmuller does apparently not perform the step of, "plotting the 

1 9 all events being detected by means of the pattern algorithm as part of the new pattern into the 

20 cross plot with the third display label indicating the new pattern, the position of the third display 

21 label of each event in the cross plot being determined by the mapping algorithm on the basis of 

22 the attribute value of the attribute of the event being uncovered as part of the new pattern and its 

23 arrival time. 
24 

25 Similarly, Ma with or without Kranzlmuller are not concerned with a 'primary attribute nor with 

26 the step of clai m 5 , of removing all the events ..including an attribute value allo^ 

27 primary attribute front th if a primary attribute to be presented with its attribute 

28 values on the y-axis of the cross plot is changed, allocating a fourth display label to the events 

29 indicating the attribute values of the new primary attribute," nor with the step of, "plotting all the 

30 events arrived within the time period and including an attribute value allocated to the new 

3 1 primary attribute into the cross plot with the fourth display label indicating the new primary 

32 attribute, the position of the fourth display label of each event in the cross plot being determined 
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1 on the basis of the attribute value of the primary attribute of the event and its arrival time," nor 

2 with the step of "if a primary attribute to be presented with its attribute values on the y-axis of 

3 the cross plot is changed, allocating a fourth display iabel to the events indicating the attribute 

4 values of the new primary attribute, and plotting all the events arrived within the time period and 

5 including an attribute value allocated to the new primary attribute into the cross plot with the 

6 fourth display label indicating the new primary attribute, the position of the fourth display label 

7 of each event in the cross plot being determined on the basis of the attribute value of the primary 

8 attribute of the event and its arrival time. 
9 

1 0 Also, for example, the office communication states "the application of data mining algorithms, 

1 1 which are then used to generated multiple different visualizations A review of Ma and 

12 Kranzlmuller show that even the combination does not equal that generation of multiple 
1.3 visualizations for cross-referencing. Thus claims 4 and 5 are allowable over Ma and 

14 Kranzlmuller in themselves and because each depends on allowable claim 1 . 



15 

1.6 Re Claim 6: Ma junker discloses the operator selects the events to be plotted and 

1 7 displaying textual and coloring information associated with the selected events on the 

1 8 event display (Page 4 and Figs. 6, 7, 9- /0). 

1 9 Ma discloses plotting all attribute values, including the attributes! such as event type, 

20 link down, and host name, host A, in the patterns marked as the link down of host A, node 

21 down of host B, recorded for an event, as retrieved from the database, with the respective 

22 display label into the cross plot iff he event is selected by an operator and displaying 

23 textual information associated with the selected event on the event display. 
24 



25 In response, the applicant respectfully take particular exception with the ai leged equivalency of 

26 elements in claim 6 and the cited art, and take exception with the Examiner assertions. 

27 In response, applicants respectfully state that exception is taken with the so called equivalencies 

28 of elements in Claim 6 and the cited art. This is in regard to use of words in the claims 

29 attributes, primary, events, display label etc. The present invention in claim 6 is not anticipated 

30 by S. Ma, et ai As noted, applicants respectfully state that Ma is not concerned with the test and 

3 1 step of claim 6 of, ^plotting all attribute values recorded for an event with the respective display 

32 label into the cross plot if the event is selected by an operator, and displaying textual information 

33 associated with the selected event on the event display. 
34 
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1 Also, a review of Ma and KranzlmuHer show that the user has to guide the visualization 

2 manually. Thus claim 6 is allowable over Ma and Kranzlrauiler for itself and because it depends 

3 on allowable claim 1. 
4 



5 Re Claim 7: Ma further discloses a pattern algorithm such as the data mining algorithm 

6 suitable to perform mult! ~ai •tribute pattern recognition (Figs. 6, 7, 9-10). 

7 Ma discloses the mining algorithm being suitable to perform muhi-ottt thute pattern 

8 recognition using the mapping mechanism (Page 12} and the pattern 

9 com] \ins< 'tis m > age 13). 
10 



11 In response, the applicant respectfully take particular exception with the alleged equivalency of 

12 elements in claim 7 and the cited art, and take exception with the Examiner assertions. The 

13 present invention in claim 7 is not anticipated by S. Ma. There is apparently no indication that 

14 Ma is concerned with multi-attribute partem recognition or even any pattern recognition, as in 

j 5 claim 7. Being allegedly suitable is indeed not an anticipation of the invention in. claim 7. Thus 

1 6 claim 7 is allowable over Ma and KranzlmuHer for itself and because it depends on allowable 

17 claim 1. 



IS 

.1 9 Re Claim 8: Ma further discloses using color such as Red and Green to color the 

20 pattern Spikes and Pattern /, Pattern 2, Pattern 3, Pattern 4 for specific mark layouts 

21 (Figs. 6. 7, 9-fO). 

22 Ma discloses each display label includes di fferent colors marking die events. 
23 



24 In response, the applicant respectfully take particular exception with the alleged equivalency of 

25 elements in claim S and the cited art, and take exception with the Examiner assertions. A review 

26 of Ma and KranzlmuHer show that even the combination does not have the elements as in claim 

27 8. Thus, claim 8 is allowable over Ma and KranzlmuHer for itself and because it depends on 

28 allowable claim L 



29 

30 Re Claim 9: Ma farther discloses ail events being uncovered as part of the pattern being 

3 1 clustered by the display label such m Red Spikes, Green Spikes (Figs. 6, 7 and 9-10). 
3 2 Ma ( bscioses all e > ■enis being < hscovered as pan of the pattern as clustered by the 

3 3 different labels including Red Spikes and Green Spikes to indicate one of the phm ility of 

34 events such as SNMP request, authentication future link up, link down, port up, port 

3 5 down, link down of host A, node down of host B etc. , indicating the new primary 

36 attribute. 
37 
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1 In response, the applicant respectfully take particular exception with the alleged equivalency of 

2 elements in claim 9 and the cited art, and take exception with the Examiner assertions. There is 

3 apparently no indication that Ma is at all concerned with clusters or clustering as in claim c > 

4 Thus claim 9 is allowable over Ma and Kranzlmuiler for itself and because it depends on 

5 allowable claim 1. 
6 

7 Ri Claim 10 Ma further discloses a data mining atgoi , m mdCJiU (Pagi 14) Ma 

8 discloses the mining algorithm carrying the steps as recited in the claim 1. 
9 

10 In response, the applicant respectfully take particular exception with the alleged equivalency of 

1.1 elements in claim 10 and the cited art, and take exception with the Examiner assertions, The 

12 response to claim 1 is appropriate to claim 10 which depends thereupon. The program code is 

13 that of claim 1, which is not anticipated by Ma. Claim 10 is amended. Thus claim 10 is 

14 allowable over Ma and Kranzlmuiler for itself and because it depends on allowable claim I . 
15 

16 Re Claim 11: Ma further discloses the program code being stored on data carrier (see 

17 page 5). Data cattier is inherent within the computer embodiment of Page 5. 
IS 

1 9 In response, the applicant respectfully take particular exception with the alleged equivalency of 

20 elements in claim 1 1 and the cited art, and take exception with the Examiner assertions. 

21. Exception is taken with the stated mherentcy. There is apparently no indication that Ma or 

22 Kranzlmuiler discloses or is concerned with a data earner as in claim 1 1 . Thus claim 1 1 is 

23 allowable over Ma and Kranzlmuiler for itself and because it depends on allowable claim 1 . 



24 

25 He Claim 12: Ma farther discloses an event visualization device for monitoring events 

26 in a computer network (Page 3,1 the cited reference teach mapping a plurality of data 

27 attributes to item to identify correlations across different hosts and event types by using 

28 the mapping that maps the pair of event type and host name to item and leaves hey empty. 

29 See Page 1 1. Moreover the cited reference in Page /, second paragraph, explicitly 

30 teaches the attribute values, see the las/ paragraph of Page 6 and the first and second 

31 / ata^taphs ot Page s the last paragraph of Pagi 12 and tin set collected froui 

32 a production computer network containing thousands of managed nodes including 

3 3 routers, hubs and servers are described in the last / •< a agraph < 1 s >agt > at u I u ientifyin 

34 unknown event patterns that can be used foi reahtim mop taring is ck sat bat in tin 

3 5 second paragraph of page 3. 
36 



DOCKET NUMBER; CH92002-0049US1 



33/37 



Sena! No.: 10/798,070 



1 In response, the applicant respectfully take particular exception with the alleged equivalency of 

2 elements i n ci aim 1 2 and the cited art, and take exception with the Examiner assertions. The 

3 present invention in claim 12 is not anticipated by S. Ma. The response to claim 1 is appropriate 

4 to claim 1 2, which depends thereupon. The device is for performing the steps of claim 1 , which 

5 is not anticipated by Ma. Thus claim 12 is allowable over Ma and Kranzlmuller for itself and 

6 because it depends on allowable claim 1 . 



7 

8 Re Claims 13 and IS: Ma further discloses an implementation of the Event Miner 

9 algorithm, on the computer (Page 4-5). 
10 

1.1 In response, the applicant respectfully take particular exception with the alleged equivalency of 



12 elements in claims 1 3 and 15 and the cited art. and take exception with the Examiner assertions. 

13 In response, applicants respectfully state that exception is taken with the so called equivalencies 

14 of elements in Claims 1 3-16 and the cited art. The present invention in claim 13-15 are not 

15 anticipated by S. Ma. The response to claim 1 is appropriate to claim 13 and 15, which depends 

16 thereupon. Claim 14 is amended to be an independent claim of the Beauregard type, with all the 

1 7 elements of claim 1. , The implementations are for performing the steps of claim 1 , which is not. 

1 8 anticipated by Ma. Thus claims 13-15 are allowable over Ma and Kranzlmuller for itself and 

1 9 because it depends on, or has the matter, of allowable claim 1 . 
20 

21 

22 Claim 14: The claim 14 is subject to the same rationale of rejection set forth in the 

23 claim 1. 
24 

25 In response, the applicant respectfully take particular exception with the alleged equivalency of 

26 elements in claim 14 and the cited art, and take exception with the Examiner assertions Claim 

27 1 4 is amended as in claim 1 . The response to claim 1 is appropriate to amended claim 1 4. Thus 

28 claim j 4 is allowable over the combined art of Kranzlmuller and Ma. 
29 

30 Claim 16: The claim 16 is subject to the same rationale of rejection set forth in the 

3 1 claims 2 4. 
32 

33 In response, the applicant respectfully take particular exception with the alleged equivalency of 

34 elements in claim 16 and the cited art, and take exception with the Examiner assertions. There is 
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1 apparently no indication that Ma and Kranzhnuller perfomi the added steps of claim 16. The 

2 present invention in claim 16 is not anticipated by S. Ma. The response to claim 1 is appropriate 

3 to claim 1 6, which depends thereupon. The method is for performing more steps over the steps 

4 of claim L which is not anticipated by Ma. Thus claim 16 is allowable over Ma and 

5 Kranzlmuller for itself and because it depends on allowable claim 1 . 
6 

7 Claim 17: The claim 17 is subject to the same rationale of rejection set forth in the 

8 claim 5. 
9 

10 In response, applicants respectfully state that as with claim 5 exception is taken with the so 

1.1 called equivalencies of elements in Claim 17 and the cited art.. This is in regard to use of words 

12 in the claims attributes, primary, events, display label etc. There is apparently no indication that 

13 Ma and Kranzlmuller perform the added steps of claim 1 7. The present invention in claim 1 7 is 

14 not anticipated by S. Ma. The response to claim 1 is appropriate to claim 17, which depends 

15 thereupon. The method is for performing more steps over the steps of claim 16, which is not 

16 anticipated by Ma. Thus claim 1 7 is allowable over Ma and Kranzlmuller for itself and because 

1 7 h depends on. allowable claim 1 . 
18 

19 Claim 18: The claim 18 is subject to the same rationale of rejection set forth in the 

20 claims 2-4. 
21 

22 In respo st t . leant respectfully state that as with claims 2-4, exception is taken with the so 

23 called equivalencies of elements in Claim 1 8 and the cited art. This is in regard to use of words 

24 in the claims attributes, primary, events, display label etc. There is apparently no indication that 

25 Ma and Kranzlmuller has the added elements of claim 1 8. The present invention in claim 18 its 

26 not anticipated by S. Ma. The response to claim 1 is appropriate to claim 18, which depends 

27 thereupon. The device is for more elements than claim 5, which is not anticipated by Ma. Thus 

28 claim I S is allowable over Ma and Kranzlmuller for itself and because it depends on allowable 

29 claim i. 
30 

3 1 Claim 19: The claim 19 is subject to the same rationale of rejection set forth in the 

32 claim 5. 
33 
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1 In response, applicants respectfully state that as with claim 5 exception is taken with the so 

2 called equivalencies of elements in Claim 19 and the cited art. This is in regard to use of words 

3 in the claims attributes, primary, events, display label etc. There is apparently no indication that 

4 Ma and Kranzlmuller perform the added steps of claim 19 lias the added elements of claim 189. 

5 The response to claim 1 is appropriate to claim 17, which depends thereupon. The device is for 

6 more elements than claim 5, which is not anticipated by Ma. Thus claim 17 is allowable over Ma 

7 and Kranzlmuller for itself and because it depends on allowable claim 1 . 
8 

9 Claim 20: The claim 20 is subject to the same rationale of rejection set forth in the 

10 claim J. 

11 

12 In response, the applicant respectfully take particular exception with the alleged equivalency of 

13 elements in claim 20 and the cited art, and take exception with the Examiner assertions. As with 

14 claim 1, claim 20 shows that the attribute are event attributes, and to show explicitly that it 

1.5 includes "means for simultaneously monitoring various event attributes versus the arrival time of 

16 each the events," and to specifically include "means for viewing a secondary attribute of said 

17 each event together with the primary attribute on said display." This apparently more clearly 

5 8 distinguishes claim 1 and 20, from the cited reference. Thus claim 20 is allowable over Ma and 

19 Kranzlmuller. 

20 

21 It is anticipated that this amendment brings the application to allowance of claims 1-20. 

22 Favorable action is respectfully solicited. In the unlikely event that any claim remains rejected, 

23 please, contact the undersigned as required by the MPEP, by phone in order to discuss the 

24 application. 
25 

26 Please charge any other fee necessary to enter this paper to deposit account 50-05 1 0. 
27 



28 Respectfully submitted, 

29 
30 

3 1 By: /Louis Herzberg/^ 

32 Dr. Louis P. Herzberg 

33 Reg. No. 41,500 
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